Law 20,575: Establishes the use limitation principle in the treatment of personal data
Among other matters, this law establishes the use limitation principle in the treatment of personal data. This law will supplement our legislation on this matter, in particular Law 19,628 on Data Protection.
This law specifically focuses on the collection and treatment of personal data of an economic, financial, banking or commercial nature by data banks, distributors of personal records or personal data banks. It first specifies the disclosure and uses of personal data being handled and, second, it indicates certain requirements or obligations that must be adopted under the new law.
I. It specifies the disclosure of and uses to which personal data of an economic, financial, banking or commercial nature may be used.
In this sense, the use limitation principle must be adhered to in the treatment of personal data, which shall be exclusively for:
a) assessment of commercial risk; and
b) for credit bureau processes.
It also provides that this kind of data may only be disclosed to established merchants, for credit bureau processes and to entities that participate in the rating of commercial risk, and for that purpose only. Under no circumstances may this information be required in personnel selection, pre-school, school or higher education admission processes, emergency medical care or candidacies for public office.
II. Requirements and obligations to be complied with by the person in charge of data banks, distributors or personal records or data banks.
Article 3 of the law states that the persons in charge of data banks and distributors of personal records or data banks shall, when conducting their activity, implement the principles of:
Legitimacy;
Access and opposition;
Information;
Data quality;
Use limitation;
Proportionality;
Transparency;
Nondiscrimination;
Limited use; and
Secure handling of personal data.
The law requires the judge to take these principles into consideration in determining if due diligence was exercised in the treatment of personal data. It adds that the distributor or person in charge of the records or data banks will shoulder the burden of proof in showing the judge that he complied with the applicable obligations and that he acted with due diligence in handling the respective data. This means shifting the burden of proof to the data banks. We likewise note that it provides the following obligations, which must be adhered to in order to comply with the new law:
a) Having a system to record access and delivery of those data, indicating the name of the person who requested the same, the reason, date and time of the request, as well as the person responsible for delivering the information. This obligation will be effective six months after its publication in the Official Gazette.
b) The holders of commercial information may request, every four months (free of charge) the information included in that system over the previous 12 months.
c) Designate an individual in charge of data treatment, so that the data holders may contact the same to enforce their rights under the Data Protection Law.
d) Issue a certificate on demand by the holder of the information, for purposes other than risk evaluation in the credit bureau process. This certificate must only consider unpaid past-due obligations on the person’s record.